This release note describes the features, modifications, and caveats for the Cisco IOS XE 3.5.0E software on the Catalyst 4500-X Series switch. This releases delivers new software and hardware innovations in campus access and aggregation deployments that span across many technologies, including enhanced support for IPv6, security, high availability, and IP multicast.

Cisco IOS Software Release XE 3.5.0E is part of the new software releases on Cisco Catalyst 2960S, 2960C, 3560C, 3750-X, 3560-X, 4500E and 4500-X, 4900M, and 4948E/E-F Series Switches. These releases deliver new software and hardware innovations in campus access and aggregation deployments that span across many technologies, including enhanced support for IPv6, security, high availability, and IP multicast.

Support for Cisco IOS XE Release 3.5.0E follows the standard Cisco Systems® support policy, available at

Support for Layer 3 MEC—VSS with Layer 3 Multichassis EtherChannel (MEC) at the aggregation layer

Support for VSLP Fast Hello—With VSLP Fast Hello, the Catalyst 4500-X configured for VSS can now connect Access Switches that do not support the ePAgP protocol.

Support for VSL Encryption

Yes

Yes

Virtual Trunking Protocol (VTP) - Pruning

Yes

Yes

VLAN Access Control List (VACL)

Yes

Yes

VLAN MAC Address Filtering

Yes

Yes

VLAN Mapping (VLAN Translation)

Yes

Yes

VRF-aware TACACS+

No

Yes

VRF-lite for IPv6 on OSPF/ BGP/ EIGRP

No

Yes

VTP (Virtual Trunking Protocol) Version 2

Yes

Yes

VTP Version 3

Yes

Yes

WCCP Version 2

Yes

Yes

Web Authentication Proxy

Yes

Yes

Webauth Enhancements

Yes

Yes

Wireshark-based Ethernet Analyzer

Yes

Yes

XML-PI

Yes

Yes

1.EEE 802.1t—An IEEE amendment to IEEE 802.1D that includes extended system ID, long path cost, and PortFast.

2.When either Source or Prefix Guard for IPv6 is enabled, ICMPv6 packets are unrestricted on all Catalyst 4500 series switch platforms running IOS Cisco Release 15.2(1)E. All other traffic types are restricted.

3.IP Base supports only one OSPFv2 and one OSPFv3 instance with a maximum number of 1000 dynamically learned routes.

4.OSPF for Routed Access supports only one OSPFv2 and one OSPFv3 instance with a maximum number of 1000 dynamically learned routes

Note When either Source or Prefix Guard for IPv6 is enabled, ICMPv6 packets are unrestricted on all Catalyst 4500 series switch platforms running IOS Cisco Release 15.2(1)E. All other traffic types are restricted.

Limitations and Restrictions

More than 16K QoS policies can be configured in software. Only the first 16K are installed in hardware.

Adjacency learning (through ARP response frames) is restricted to roughly 1000 new adjacencies per second, depending on CPU utilization. This should only impact large networks on the first bootup. After adjacencies are learned they are installed in hardware.

Multicast fastdrop entries are not created when RPF failure occurs with IPv6 multicast traffic. In a topology where reverse path check failure occurs with IPv6 multicast, this may cause high CPU utilization on the switch.

The SNMP ceImageFeature object returns a similar feature list for all the three license levels (IP Base and EntServices). Although the activated feature set for a universal image varies based on the installed feature license, the value displayed by this object is fixed and is not based on the feature license level.

Standard TFTP implementation limits the maximum size of a file that can be transferred to 32 MB. If ROMMON is used to boot an IOS image that is larger than 32 MB, the TFTP transfer fails at the 65,xxx datagram.

TFTP numbers its datagrams with a 16 bit field, resulting in a maximum of 65,536 datagrams. Because each TFTP datagram is 512 bytes long, the maximum transferable file is 65536 x 512 = 32 MB. If both the TFTP client (ROMMON) and the TFTP server support block number wraparound, no size limitation exists.

Cisco has modified the TFTP client to support block number wraparound. So, if you encounter a transfer failure, use a TFTP server that supports TFTP block number wraparound. Because most implementations of TFTP support block number wraparound, updating the TFTP daemon should fix the issue.

A XML-PI specification file entry does not return the desired CLI output.

The outputs of certain commands, such as show ip route and show access-lists, contain non-deterministic text. While the output is easily understood, the output text does not contain strings that are consistently output. A general purpose specification file entry is unable to parse all possible output.

Workaround (1):

While a general purpose specification file entry may not be possible, a specification file entry might be created that returns the desired text by searching for text that is guaranteed to be in the output. If a string is guaranteed to be in the output, it can be used for parsing.

For example, the output of the show ip access-lists SecWiz_Gi3_17_out_ip command is this:

Extended IP access list SecWiz_Gi3_17_out_ip

10 deny ip 76.0.0.0 0.255.255.255 host 65.65.66.67

20 deny ip 76.0.0.0 0.255.255.255 host 44.45.46.47

30 permit ip 76.0.0.0 0.255.255.255 host 55.56.57.57

The first line is easily parsed because access list is guaranteed to be in the output:

Request the output of the show running-config command using NETCONF and parse that output for the desired strings. This is useful when the desired lines contain nothing in common. For example, the rules in this access list do not contain a common string and the order (three permits, then a deny, then another permit), prevent the spec file entry from using permit as a search string, as in the following example:

If multicast is configured and you make changes to the configuration, Traceback and CPUHOG messages are displayed if the following conditions exist:

– At least 10K groups and roughly 20K mroutes exist.

– IGMP joins with source traffic transit to all the multicast groups.

This is caused by the large number of updates generating SPI messages that must be processed by the CPU to ensure that the platform is updated with the changes in all the entries.

Workaround: None. CSCti20312

With traffic running, entering clear ip mroute * with larger number of mroutes and over 6 OIFs will cause Malloc Fail messages to display.

You cannot clear a large number of mroutes at one time when traffic is still running.

Workaround: Do not clear all mroutes at once.

CSCtn06753

Although you can configure subsecond PIM query intervals on Catalyst 4500 platforms, such an action represents a compromise between convergence (reaction time) and a number of other factors (number of mroutes, base line of CPU utilization, CPU speed, processing overhead per 1 m-route, etc.). You must account for those factors when configuring subsecond PIM timers. We recommend that you set the PIM query interval to a minimum of 2 seconds. By adjusting the available parameters, you can achieve flawless operation; that is, a top number of multicast routes per given convergence time on a specific setup.

Energywise WOL is not “waking up” a PC in hibernate or standby mode.

Workaround: None. CSCtr51014

When OSPFv3 LSA throttling is configured, rate limiting does not take effect for a few minutes.

WorkAround: None. CSCtw86319

The ROMMON version number column in the output of show module command is truncated.

The system cannot scale to greater than 512 SIP flows with MSP and metadata enabled.

Workaround: None. CSCty79236

When either the RADIUS-server test feature is enabled or RADIUS-server dead-criteria is configured, and either RADIUS-server deadtime is set to 0 or not configured, the RADIUS-server status is not properly relayed to AAA.

Workaround: Configure both dead-criteria and deadtime.

radius-server dead-criteria

radius-server deadtime

CSCtl06706

If you use the quick option in the issu changeversion command, the following might occur:

– Links flap for various Layer 3 protocols.

– A traffic loss of several seconds is observed during the upgrade process.

Workaround: Do not use the quick option with the issu changeversion command. CSCto51562

While configuring an IPv6 access-list, if you specify hardware statistics as the first statement in v6 access-list mode (i.e. before issuing any other v6 ACE statement), it will not take effect. Similarly, your hardware statistics configuration will be missing from the output of the show running command.

When an IPv6 FHS policy is applied on a VLAN and an EtherChannel port is part of that VLAN, packets received by EtherChannel (from neighbors) are not bridged across the local switch.

Workaround: Apply FHS policies on a non EtherChannel port rather than a VLAN. CSCua53148

During VSS conversion, the switch intended as the Standby device may require up to 9 minutes to reach an SSO state. The boot up time depends on the configuration and on the number of line cards in the system.

Workaround: None. CSCua87538

An incorrect module number is displayed in the console messages during boot up of a Cat4500X VSS.

Because the Catalyst 4500-X is a “fixed” configuration device, in a VSS, you would expect the two systems to be labeled 'Module 1' and 'Module 2.’ However, because of software implementation similarities with the modular Catalyst 4500E series switches, the Standby switch is labeled 'Module 11.’

Workaround: None. CSCub11632

Memory allocation failures can occur if more than 16K IPv6 multicast snooping entries are present.

Workaround: None. CSCuc77376

Beginning with IOS Release XE 3.5.0E, error messages that occur when a QoS policy is applied will no longer appear directly on the console when no logging console is configured. They will appear only when a logging method is active (e.g., logging buffered, logging console, …).

Workaround: None. CSCuf86375

Setting a cos value based on QoS group triggers the following error message in a VSS system

set action fail = 9

Workaround: None. QoS groups are not supported in VSS. CSCuc84739

Auto negotiation cannot be disabled on the Fa1 port. It must be set to auto/auto, or fixed speed with duplex auto.

Open Caveats for Cisco IOS XE Release 3.5.3E

When an SNMP query includes the cpmCPUProcessHistoryTable, the query time is very slow, and CPU utilization of the os_info_p process (OS Information provider) increases substantially. The query time of an almost fully populated table is 68 minutes.

Workaround: None. CSCth42248

The show ipv6 access-list command displays incorrect match counts when multicast traffic is matched to an IPv6 access list that is attached to an SVI.

Workaround: None. CSCth65129

When you configure open authentication and perform SSO, the spanning tree state and MAC address are not synchronized to the new standby supervisor engine. This behavior interrupts traffic only after the second switchover because the new standby supervisor engine possesses the wrong state after the initial switchover and the second switchover starts the port in the blocking state.

Workaround: Enter shut and no shut on the port to synchronize the STP state. CSCtf52437

Dynamic buffer limiting might not function at queue limits less than or equal to 128.

Workaround: Increase the queue limit to at least 256. CSCto57602

A device in a guest VLAN that is connected behind a phone capable of 2nd-port-notification experiences packet loss following a SSO failover. The device experiences an authentication restart after the first CDP frame arrives from the phone.

Workaround: None. CSCto46018

If you perform an OIR on a line card, several %C4K_RKNOVA-4-INVALIDTOKENEXPIRED messages appear in the logs.

Workaround: None. CSCtu37959

When you enable both Cisco TrustSec and RADIUS accounting, a disparity occurs between the RADIUS client (Cisco switch) and the RADIUS/CTS server in how the authenticator field in the header is computed for DOT1X/RADIUS accounting messages.

A Cisco IOS AAA client uses the PAC secret to compute the authenticator; Cisco Secure ACS 5.2 uses the shared secret. This behavior causes a mismatch that results in a rejection of the accounting message, and the client marks the server as unresponsive.

Workaround: None. You must disable 802.1X accounting. CSCts26844

When more than one Equal Cost Multipath (ECMP) is available on the downstream switch, and Mediatrace is invoked to provide flow statistics, the dynamic policy does not display flow statistics.

Mediatrace cannot find the correct inbound interface and applies the dynamic policy on a different interface from the one used for media flow.

Workaround: None. CSCts20229

When you add a "bfd" suffix to the snmp server host x.x.x.x configuration command, the BFD traps, ciscoBfdSessUp and ciscoBfdSessDown, are not generated.

Workaround: Do not specify a "bfd" suffix with the snmp-server host x.x.x.x configuration command. CSCtx51561

Workaround: Remove the Catalyst 4500-X module by first pressing the Ejector button for 10 seconds until the light turns green. CSCty67871

Caution: If you remove the module without following this procedure, the system always shuts down (or fails). Always use the Ejector button.

For the 10-Gigabit interface on a Catalyst 4500-X switch, link flaps are observed if the debounce interval is defined with the link debounce time command to within 1 second of the pulse interval.

For example, if the pulse interval is 250 ms and the debounce interval is 500 ms, then the delta is 250 ms and the debounce will be ineffective.

Workaround: Define a debounce interval that is at least 1 second greater than the incoming pulse interval. CSCtx75188

In a multichassis port channel on a VSS system with a very high number of link up and down events that occur within a second and typically causes an error-disable event, only the ports on the active switch are error-disabled due to flaps.

Workaround: None. CSCuc36612

If you enter the show spi-fc 12 command, a crash occurs.

Workaround: Use the show spi-fc all command to dump all SPI channel information. CSCuc81286

When you enter the ip pim register-rate-limit command, the following error message displays:

'Failed to configure service policy on register tunnel' and 'STANDBY:Failed to configure service policy on register tunnel'.

These messages are typically observed during SSO, bootup, or when a PIM-enabled interface undergoes a state transition on a switch containing Bidir PIM state entries.

Workaround: None. CSCud39208

Sometimes, after VSS comes up, the control links display different VSL links.

Workaround: Convert the VSS member switch to standalone and bring up VSS again. CSCug86547...Predator and K10

An IPv6 BFD session flaps if you configure a 100 * 3 timer value.

Workaround: Set the BFD timer and multiplier as 100 * 5. CSCuh35017

BFD supports 300ms and time values exceeding (100 * 3).

Workaround: None. CSCuh19345

Policer and Classification statistics do not increment during ISSU runversion when you downgrade from IOS Release XE 3.5.0E.

Workaround: This issue is transient. Policer and Classification statistics are available after ISSU completes. CSCuh90975

When a queuing policy is applied to a Layer 3 MEC member port, queuing statistics do not increment.

Workaround: None CSCuh76328

In a VSS (virtual switching system) setup, the show switch virtual link EXEC command displays VSL control link port numbers on different VSLs (virtual switching links) rather then displaying port numbers on the same link.

Workaround: Convert the VSS to a standalone setup. CSCug86547

A switch crashes when the you enter the show power inline module 1 and show power inline module 1 detail commands in two different telnet sessions and reset the linecard using a third telnet session.

Workaround: Reset the term length to 0 on the vty session. CSCuf08112

On configuring power inline consumption, the show power inline command might not display the values of the power consumed by the PD.

Workaround: Shut then no shut the interface. CSCue72897

The match application name and collect application name commands appear as available for flow record configuration (e.g., when using the ? help listings). However, this configuration is otherwise unsupported: the show flow monitor monitor-name cache command shows the application name as 'unknown,’ and the application table is not exported, so this field cannot be decoded when exported.

Workaround: Do not configure the application name field as a key or non-key field of a flow record. CSCue47944

Occasionally, when the VSL goes down on a VSS with fast-hello based dual-active detection, the Layer 2 convergence time exceeds the Layer 2 convergence time observed with e-pagp based dual-active detection by 20ms.

However, the Layer 2 convergence time of the former stills meet the sub-second convergence criteria.

CPU utilization rises and the console may hang on simultaneously executing the following commands from either two VTY's session, or from a Console and a VTY session.

show proc cpu <sorted|detailed|history>

show redundancy <>

show tech-support

Workaround: Execute these commands in a single session.

If you plan to execute those commands sequentially, close the console session before executing the show tech-support command. CSCuh15561

If no vlan.dat exists on both source and destination, the sync command fails (i.e., the synchronization between flash to sdflash or sdflash to flash doesn't happen).

Workarounds:

– Skip the vlan.dat check.

– Rename any config.text files as vlan.dat file. CSCue61001

While either performing an ISSU upgrade from XE 3.4.0 (or earlier) to XE 3.5.0 or performing a downgrade from XE 3.5.0 to an earlier release, the following “authmgr mtu mismatch” error messages might display:

After kron performs a write of the startup-config (e.g. 'write mem'), it is locked indefinitely (i.e., the startup-config and running-config are unavailable):

switch# show run

Unable to get configuration. Try again later.

Workaround; Reload the switch.

To avoid this condition, use EEM with the timer event to schedule the required task.

CSCtk68692

Resolved Caveats for Cisco IOS XE Release 3.5.3E

None

Open Caveats for Cisco IOS XE Release 3.5.2E

When an SNMP query includes the cpmCPUProcessHistoryTable, the query time is very slow, and CPU utilization of the os_info_p process (OS Information provider) increases substantially. The query time of an almost fully populated table is 68 minutes.

Workaround: None. CSCth42248

The show ipv6 access-list command displays incorrect match counts when multicast traffic is matched to an IPv6 access list that is attached to an SVI.

Workaround: None. CSCth65129

When you configure open authentication and perform SSO, the spanning tree state and MAC address are not synchronized to the new standby supervisor engine. This behavior interrupts traffic only after the second switchover because the new standby supervisor engine possesses the wrong state after the initial switchover and the second switchover starts the port in the blocking state.

Workaround: Enter shut and no shut on the port to synchronize the STP state. CSCtf52437

Dynamic buffer limiting might not function at queue limits less than or equal to 128.

Workaround: Increase the queue limit to at least 256. CSCto57602

A device in a guest VLAN that is connected behind a phone capable of 2nd-port-notification experiences packet loss following a SSO failover. The device experiences an authentication restart after the first CDP frame arrives from the phone.

Workaround: None. CSCto46018

If you perform an OIR on a line card, several %C4K_RKNOVA-4-INVALIDTOKENEXPIRED messages appear in the logs.

Workaround: None. CSCtu37959

When you enable both Cisco TrustSec and RADIUS accounting, a disparity occurs between the RADIUS client (Cisco switch) and the RADIUS/CTS server in how the authenticator field in the header is computed for DOT1X/RADIUS accounting messages.

A Cisco IOS AAA client uses the PAC secret to compute the authenticator; Cisco Secure ACS 5.2 uses the shared secret. This behavior causes a mismatch that results in a rejection of the accounting message, and the client marks the server as unresponsive.

Workaround: None. You must disable 802.1X accounting. CSCts26844

When more than one Equal Cost Multipath (ECMP) is available on the downstream switch, and Mediatrace is invoked to provide flow statistics, the dynamic policy does not display flow statistics.

Mediatrace cannot find the correct inbound interface and applies the dynamic policy on a different interface from the one used for media flow.

Workaround: None. CSCts20229

When you add a "bfd" suffix to the snmp server host x.x.x.x configuration command, the BFD traps, ciscoBfdSessUp and ciscoBfdSessDown, are not generated.

Workaround: Do not specify a "bfd" suffix with the snmp-server host x.x.x.x configuration command. CSCtx51561

Workaround: Remove the Catalyst 4500-X module by first pressing the Ejector button for 10 seconds until the light turns green. CSCty67871

Caution: If you remove the module without following this procedure, the system always shuts down (or fails). Always use the Ejector button.

For the 10-Gigabit interface on a Catalyst 4500-X switch, link flaps are observed if the debounce interval is defined with the link debounce time command to within 1 second of the pulse interval.

For example, if the pulse interval is 250 ms and the debounce interval is 500 ms, then the delta is 250 ms and the debounce will be ineffective.

Workaround: Define a debounce interval that is at least 1 second greater than the incoming pulse interval. CSCtx75188

In a multichassis port channel on a VSS system with a very high number of link up and down events that occur within a second and typically causes an error-disable event, only the ports on the active switch are error-disabled due to flaps.

Workaround: None. CSCuc36612

If you enter the show spi-fc 12 command, a crash occurs.

Workaround: Use the show spi-fc all command to dump all SPI channel information. CSCuc81286

When you enter the ip pim register-rate-limit command, the following error message displays:

'Failed to configure service policy on register tunnel' and 'STANDBY:Failed to configure service policy on register tunnel'.

These messages are typically observed during SSO, bootup, or when a PIM-enabled interface undergoes a state transition on a switch containing Bidir PIM state entries.

Workaround: None. CSCud39208

Sometimes, after VSS comes up, the control links display different VSL links.

Workaround: Convert the VSS member switch to standalone and bring up VSS again. CSCug86547...Predator and K10

An IPv6 BFD session flaps if you configure a 100 * 3 timer value.

Workaround: Set the BFD timer and multiplier as 100 * 5. CSCuh35017

BFD supports 300ms and time values exceeding (100 * 3).

Workaround: None. CSCuh19345

Policer and Classification statistics do not increment during ISSU runversion when you downgrade from IOS Release XE 3.5.0E.

Workaround: This issue is transient. Policer and Classification statistics are available after ISSU completes. CSCuh90975

When a queuing policy is applied to a Layer 3 MEC member port, queuing statistics do not increment.

Workaround: None CSCuh76328

In a VSS (virtual switching system) setup, the show switch virtual link EXEC command displays VSL control link port numbers on different VSLs (virtual switching links) rather then displaying port numbers on the same link.

Workaround: Convert the VSS to a standalone setup. CSCug86547

A switch crashes when the you enter the show power inline module 1 and show power inline module 1 detail commands in two different telnet sessions and reset the linecard using a third telnet session.

Workaround: Reset the term length to 0 on the vty session. CSCuf08112

On configuring power inline consumption, the show power inline command might not display the values of the power consumed by the PD.

Workaround: Shut then no shut the interface. CSCue72897

The match application name and collect application name commands appear as available for flow record configuration (e.g., when using the ? help listings). However, this configuration is otherwise unsupported: the show flow monitor monitor-name cache command shows the application name as 'unknown,’ and the application table is not exported, so this field cannot be decoded when exported.

Workaround: Do not configure the application name field as a key or non-key field of a flow record. CSCue47944

Occasionally, when the VSL goes down on a VSS with fast-hello based dual-active detection, the Layer 2 convergence time exceeds the Layer 2 convergence time observed with e-pagp based dual-active detection by 20ms.

However, the Layer 2 convergence time of the former stills meet the sub-second convergence criteria.

CPU utilization rises and the console may hang on simultaneously executing the following commands from either two VTY's session, or from a Console and a VTY session.

show proc cpu <sorted|detailed|history>

show redundancy <>

show tech-support

Workaround: Execute these commands in a single session.

If you plan to execute those commands sequentially, close the console session before executing the show tech-support command. CSCuh15561

If no vlan.dat exists on both source and destination, the sync command fails (i.e., the synchronization between flash to sdflash or sdflash to flash doesn't happen).

Workarounds:

– Skip the vlan.dat check.

– Rename any config.text files as vlan.dat file. CSCue61001

While either performing an ISSU upgrade from XE 3.4.0 (or earlier) to XE 3.5.0 or performing a downgrade from XE 3.5.0 to an earlier release, the following “authmgr mtu mismatch” error messages might display:

Open Caveats for Cisco IOS XE Release 3.5.1E

When an SNMP query includes the cpmCPUProcessHistoryTable, the query time is very slow, and CPU utilization of the os_info_p process (OS Information provider) increases substantially. The query time of an almost fully populated table is 68 minutes.

Workaround: None. CSCth42248

The show ipv6 access-list command displays incorrect match counts when multicast traffic is matched to an IPv6 access list that is attached to an SVI.

Workaround: None. CSCth65129

When you configure open authentication and perform SSO, the spanning tree state and MAC address are not synchronized to the new standby supervisor engine. This behavior interrupts traffic only after the second switchover because the new standby supervisor engine possesses the wrong state after the initial switchover and the second switchover starts the port in the blocking state.

Workaround: Enter shut and no shut on the port to synchronize the STP state. CSCtf52437

Dynamic buffer limiting might not function at queue limits less than or equal to 128.

Workaround: Increase the queue limit to at least 256. CSCto57602

A device in a guest VLAN that is connected behind a phone capable of 2nd-port-notification experiences packet loss following a SSO failover. The device experiences an authentication restart after the first CDP frame arrives from the phone.

Workaround: None. CSCto46018

If you perform an OIR on a line card, several %C4K_RKNOVA-4-INVALIDTOKENEXPIRED messages appear in the logs.

Workaround: None. CSCtu37959

When you enable both Cisco TrustSec and RADIUS accounting, a disparity occurs between the RADIUS client (Cisco switch) and the RADIUS/CTS server in how the authenticator field in the header is computed for DOT1X/RADIUS accounting messages.

A Cisco IOS AAA client uses the PAC secret to compute the authenticator; Cisco Secure ACS 5.2 uses the shared secret. This behavior causes a mismatch that results in a rejection of the accounting message, and the client marks the server as unresponsive.

Workaround: None. You must disable 802.1X accounting. CSCts26844

When more than one Equal Cost Multipath (ECMP) is available on the downstream switch, and Mediatrace is invoked to provide flow statistics, the dynamic policy does not display flow statistics.

Mediatrace cannot find the correct inbound interface and applies the dynamic policy on a different interface from the one used for media flow.

Workaround: None. CSCts20229

When you add a "bfd" suffix to the snmp server host x.x.x.x configuration command, the BFD traps, ciscoBfdSessUp and ciscoBfdSessDown, are not generated.

Workaround: Do not specify a "bfd" suffix with the snmp-server host x.x.x.x configuration command. CSCtx51561

Workaround: Remove the Catalyst 4500-X module by first pressing the Ejector button for 10 seconds until the light turns green. CSCty67871

Caution: If you remove the module without following this procedure, the system always shuts down (or fails). Always use the Ejector button.

For the 10-Gigabit interface on a Catalyst 4500-X switch, link flaps are observed if the debounce interval is defined with the link debounce time command to within 1 second of the pulse interval.

For example, if the pulse interval is 250 ms and the debounce interval is 500 ms, then the delta is 250 ms and the debounce will be ineffective.

Workaround: Define a debounce interval that is at least 1 second greater than the incoming pulse interval. CSCtx75188

In a multichassis port channel on a VSS system with a very high number of link up and down events that occur within a second and typically causes an error-disable event, only the ports on the active switch are error-disabled due to flaps.

Workaround: None. CSCuc36612

If you enter the show spi-fc 12 command, a crash occurs.

Workaround: Use the show spi-fc all command to dump all SPI channel information. CSCuc81286

When you enter the ip pim register-rate-limit command, the following error message displays:

'Failed to configure service policy on register tunnel' and 'STANDBY:Failed to configure service policy on register tunnel'.

These messages are typically observed during SSO, bootup, or when a PIM-enabled interface undergoes a state transition on a switch containing Bidir PIM state entries.

Workaround: None. CSCud39208

Sometimes, after VSS comes up, the control links display different VSL links.

Workaround: Convert the VSS member switch to standalone and bring up VSS again. CSCug86547...Predator and K10

An IPv6 BFD session flaps if you configure a 100 * 3 timer value.

Workaround: Set the BFD timer and multiplier as 100 * 5. CSCuh35017

BFD supports 300ms and time values exceeding (100 * 3).

Workaround: None. CSCuh19345

Policer and Classification statistics do not increment during ISSU runversion when you downgrade from IOS Release XE 3.5.0E.

Workaround: This issue is transient. Policer and Classification statistics are available after ISSU completes. CSCuh90975

When a queuing policy is applied to a Layer 3 MEC member port, queuing statistics do not increment.

Workaround: None CSCuh76328

In a VSS (virtual switching system) setup, the show switch virtual link EXEC command displays VSL control link port numbers on different VSLs (virtual switching links) rather then displaying port numbers on the same link.

Workaround: Convert the VSS to a standalone setup. CSCug86547

A switch crashes when the you enter the show power inline module 1 and show power inline module 1 detail commands in two different telnet sessions and reset the linecard using a third telnet session.

Workaround: Reset the term length to 0 on the vty session. CSCuf08112

On configuring power inline consumption, the show power inline command might not display the values of the power consumed by the PD.

Workaround: Shut then no shut the interface. CSCue72897

The match application name and collect application name commands appear as available for flow record configuration (e.g., when using the ? help listings). However, this configuration is otherwise unsupported: the show flow monitor monitor-name cache command shows the application name as 'unknown,’ and the application table is not exported, so this field cannot be decoded when exported.

Workaround: Do not configure the application name field as a key or non-key field of a flow record. CSCue47944

Occasionally, when the VSL goes down on a VSS with fast-hello based dual-active detection, the Layer 2 convergence time exceeds the Layer 2 convergence time observed with e-pagp based dual-active detection by 20ms.

However, the Layer 2 convergence time of the former stills meet the sub-second convergence criteria.

CPU utilization rises and the console may hang on simultaneously executing the following commands from either two VTY's session, or from a Console and a VTY session.

show proc cpu <sorted|detailed|history>

show redundancy <>

show tech-support

Workaround: Execute these commands in a single session.

If you plan to execute those commands sequentially, close the console session before executing the show tech-support command. CSCuh15561

If no vlan.dat exists on both source and destination, the sync command fails (i.e., the synchronization between flash to sdflash or sdflash to flash doesn't happen).

Workarounds:

– Skip the vlan.dat check.

– Rename any config.text files as vlan.dat file. CSCue61001

While either performing an ISSU upgrade from XE 3.4.0 (or earlier) to XE 3.5.0 or performing a downgrade from XE 3.5.0 to an earlier release, the following “authmgr mtu mismatch” error messages might display:

– Toggle ipv6 snooping ON and OFF again under "vlan configuration 1" soon after bootup.

CSCuj73571

Provided an HTTP server is enabled on a switch, a vulnerability exists in Cisco IOS switches where the remote, non-authenticated attacker can cause Denial of Service (DoS) by reloading an affected device.

An attacker can exploit this vulnerability by sending a special combination of crafted packets.

Workaround: None

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.2:

When the same ACL is installed on two ports of a switch and a user is unauthenticated or logged out, the ACS-configured dynamic ACLs are not applied or deleted from the port.

Workaround: None CSCuj99722

A Dynamic ACL with a remark statement is not pushed from ISE to client and authorization either fails or is unauthorized.

Workaround: Remove the remark statement from the DACL. CSCuj35704

When you enable either the device-sensor accounting or the access-session accounting attributes command, the accounting request itself is not sent from the switch to the radius (ISE) Server.

Workaround: Do not enable device-sensor accounting.

The user accounting message will not carry the device-sensor attributes to the ISE.

CSCuj56845

On a Catalyst 4500 VSS using IOS Release XE 3.4.0SG to 3.4.2SG, or 3.5.0E, the show platform command may be truncated with a "Timed out" message and may rarely produce an unexpected reload. The likelihood of a reload increases if the command is issued over an SSH session or if the output is redirected to a file. The same behavior is observed using IOS Release XE 3.5.0 and the show tech command.

Workaround: None. CSCul00025

Open Caveats for Cisco IOS XE Release 3.5.0E

When an SNMP query includes the cpmCPUProcessHistoryTable, the query time is very slow, and CPU utilization of the os_info_p process (OS Information provider) increases substantially. The query time of an almost fully populated table is 68 minutes.

Workaround: None. CSCth42248

The show ipv6 access-list command displays incorrect match counts when multicast traffic is matched to an IPv6 access list that is attached to an SVI.

Workaround: None. CSCth65129

When you configure open authentication and perform SSO, the spanning tree state and MAC address are not synchronized to the new standby supervisor engine. This behavior interrupts traffic only after the second switchover because the new standby supervisor engine possesses the wrong state after the initial switchover and the second switchover starts the port in the blocking state.

Workaround: Enter shut and no shut on the port to synchronize the STP state. CSCtf52437

Dynamic buffer limiting might not function at queue limits less than or equal to 128.

Workaround: Increase the queue limit to at least 256. CSCto57602

A device in a guest VLAN that is connected behind a phone capable of 2nd-port-notification experiences packet loss following a SSO failover. The device experiences an authentication restart after the first CDP frame arrives from the phone.

Workaround: None. CSCto46018

If you perform an OIR on a line card, several %C4K_RKNOVA-4-INVALIDTOKENEXPIRED messages appear in the logs.

Workaround: None. CSCtu37959

When you enable both Cisco TrustSec and RADIUS accounting, a disparity occurs between the RADIUS client (Cisco switch) and the RADIUS/CTS server in how the authenticator field in the header is computed for DOT1X/RADIUS accounting messages.

A Cisco IOS AAA client uses the PAC secret to compute the authenticator; Cisco Secure ACS 5.2 uses the shared secret. This behavior causes a mismatch that results in a rejection of the accounting message, and the client marks the server as unresponsive.

Workaround: None. You must disable 802.1X accounting. CSCts26844

When more than one Equal Cost Multipath (ECMP) is available on the downstream switch, and Mediatrace is invoked to provide flow statistics, the dynamic policy does not display flow statistics.

Mediatrace cannot find the correct inbound interface and applies the dynamic policy on a different interface from the one used for media flow.

Workaround: None. CSCts20229

When you add a "bfd" suffix to the snmp server host x.x.x.x configuration command, the BFD traps, ciscoBfdSessUp and ciscoBfdSessDown, are not generated.

Workaround: Do not specify a "bfd" suffix with the snmp-server host x.x.x.x configuration command. CSCtx51561

Workaround: Remove the Catalyst 4500-X module by first pressing the Ejector button for 10 seconds until the light turns green. CSCty67871

Caution: If you remove the module without following this procedure, the system always shuts down (or fails). Always use the Ejector button.

For the 10-Gigabit interface on a Catalyst 4500-X switch, link flaps are observed if the debounce interval is defined with the link debounce time command to within 1 second of the pulse interval.

For example, if the pulse interval is 250 ms and the debounce interval is 500 ms, then the delta is 250 ms and the debounce will be ineffective.

Workaround: Define a debounce interval that is at least 1 second greater than the incoming pulse interval. CSCtx75188

In a multichassis port channel on a VSS system with a very high number of link up and down events that occur within a second and typically causes an error-disable event, only the ports on the active switch are error-disabled due to flaps.

Workaround: None. CSCuc36612

If you enter the show spi-fc 12 command, a crash occurs.

Workaround: Use the show spi-fc all command to dump all SPI channel information. CSCuc81286

When you enter the ip pim register-rate-limit command, the following error message displays:

'Failed to configure service policy on register tunnel' and 'STANDBY:Failed to configure service policy on register tunnel'.

These messages are typically observed during SSO, bootup, or when a PIM-enabled interface undergoes a state transition on a switch containing Bidir PIM state entries.

Workaround: None. CSCud39208

Sometimes, after VSS comes up, the control links display different VSL links.

Workaround: Convert the VSS member switch to standalone and bring up VSS again. CSCug86547...Predator and K10

An IPv6 BFD session flaps if you configure a 100 * 3 timer value.

Workaround: Set the BFD timer and multiplier as 100 * 5. CSCuh35017

BFD supports 300ms and time values exceeding (100 * 3).

Workaround: None. CSCuh19345

Policer and Classification statistics do not increment during ISSU runversion when you downgrade from IOS Release XE 3.5.0E.

Workaround: This issue is transient. Policer and Classification statistics are available after ISSU completes. CSCuh90975

When a queuing policy is applied to a Layer 3 MEC member port, queuing statistics do not increment.

Workaround: None CSCuh76328

In a VSS (virtual switching system) setup, the show switch virtual link EXEC command displays VSL control link port numbers on different VSLs (virtual switching links) rather then displaying port numbers on the same link.

Workaround: Convert the VSS to a standalone setup. CSCug86547

A switch crashes when the you enter the show power inline module 1 and show power inline module 1 detail commands in two different telnet sessions and reset the linecard using a third telnet session.

Workaround: Reset the term length to 0 on the vty session. CSCuf08112

On configuring power inline consumption, the show power inline command might not display the values of the power consumed by the PD.

Workaround: Shut then no shut the interface. CSCue72897

The match application name and collect application name commands appear as available for flow record configuration (e.g., when using the ? help listings). However, this configuration is otherwise unsupported: the show flow monitor monitor-name cache command shows the application name as 'unknown,’ and the application table is not exported, so this field cannot be decoded when exported.

Workaround: Do not configure the application name field as a key or non-key field of a flow record. CSCue47944

Occasionally, when the VSL goes down on a VSS with fast-hello based dual-active detection, the Layer 2 convergence time exceeds the Layer 2 convergence time observed with e-pagp based dual-active detection by 20ms.

However, the Layer 2 convergence time of the former stills meet the sub-second convergence criteria.

CPU utilization rises and the console may hang on simultaneously executing the following commands from either two VTY's session, or from a Console and a VTY session.

show proc cpu <sorted|detailed|history>

show redundancy <>

show tech-support

Workaround: Execute these commands in a single session.

If you plan to execute those commands sequentially, close the console session before executing the show tech-support command. CSCuh15561

If no vlan.dat exists on both source and destination, the sync command fails (i.e., the synchronization between flash to sdflash or sdflash to flash doesn't happen).

Workarounds:

– Skip the vlan.dat check.

– Rename any config.text files as vlan.dat file. CSCue61001

While either performing an ISSU upgrade from XE 3.4.0 (or earlier) to XE 3.5.0 or performing a downgrade from XE 3.5.0 to an earlier release, the following “authmgr mtu mismatch” error messages might display:

While performing an ISSU upgrade from a prior release (like upgrading IOS Release XE 3.3.0SG (or 3.4.0SG) to 3.5.0E) the following message are displayed several times on the switch console:

%CTS-3-MSG_NOT_COMPATIBLE_WITH_PEER: STANDBY:Message 2 in component 3 is not compatible with the peer.

This behavior does not impact functionality.

Workaround: None. CSCuh47387

When a command's paginated output is sent into a pipe on a switch using VSS, console control is not returned.

Workarounds:

1. Use terminal length 0 to turn off pagination.

2. Use any key other than Enter or Space. CSCui44781

IPv6 Source Guard does not block packets from IP sources that are not in the binding table.

Workaround: None CSCug79180

On a Catalyst 4500 VSS using IOS Release XE 3.4.0SG to 3.4.2SG, or 3.5.0E, the show platform command may be truncated with a "Timed out" message and may rarely produce an unexpected reload. The likelihood of a reload increases if the command is issued over an SSH session or if the output is redirected to a file. The same behavior is observed using IOS Release XE 3.5.0 and the show tech command.

Workaround: None. CSCul00025

UDE does not function at 1Gbps.

Workaround: None. CSCuj56314

If BFD sessions are hardware offloaded in a VSS, BFD sessions undergo re-negotiation after a VSS switchover.

Workaround: None. CSCug62308

If BFD is configured in a VSS, BFD sessions flap after a VSS switchover.

Commands in Task Tables

Commands listed in task tables show only the relevant information for completing the task and not all available options for the command. For a complete description of a command, refer to the command in the Catalyst 4500 Series Switch Cisco IOS Command Reference.

Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/
).

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/
)”.

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/
)”.

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.

The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly
What’s New in Cisco Product Documentation
, which also lists all new and revised Cisco technical documentation, at:

Subscribe to the
What’s New in Cisco Product Documentation
as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

This document is to be used in conjunction with the documents listed in the “Notices” section.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)